Security researchers have observed ransomware groups, notably Anubis, exploiting a critical NetScaler vulnerability known as Citrix Bleed 2 (CVE-2025-5777) for initial access. The flaw is a memory over-read in NetScaler ADC and NetScaler Gateway appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server: a malformed login request makes the appliance return fragments of its own memory, which can include valid session tokens. Replaying a leaked token lets an attacker hijack an authenticated session and so bypass both the password and MFA, posing a significant threat across sectors.
Understanding the Anubis Ransomware Operation
Anubis, reported to be a rebrand of the former Sphinx ransomware group, surfaced in late 2024 and gained notoriety in early 2025. It operates on a Ransomware-as-a-Service (RaaS) model, recruiting affiliates with generous profit-sharing, and pairs encryption with a file-wiping mode that destroys data outright, raising the pressure on victims to pay.
In a recent report, Arctic Wolf described Anubis affiliates' use of legitimate remote access tools such as ScreenConnect and Zoho Assist to blend in with normal IT operations; the same tools support lateral movement and give the attackers persistent control over compromised systems.
Exploiting Vulnerabilities and Credential Theft
Alongside Citrix Bleed 2, Anubis affiliates gain entry with valid VPN credentials bought from initial access brokers or harvested through credential stuffing. Intrusions have been observed across multiple sectors, particularly in the U.S., U.K., and other major economies.
Once inside, the attackers move laterally with RDP and PsExec, deploy additional remote management tools to keep their foothold, and exfiltrate data. They also disable security tooling to evade detection and complicate forensic investigation.
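The tradecraft described above (PsExec for lateral movement, RDP logons with stolen credentials, and commercial remote access tools dropped for persistence) leaves a recognisable trail in Windows event logs. The following triage script is an added example written for this page, not code from Arctic Wolf or any vendor; the event records are constructed for illustration, the tool list includes AnyDesk as an assumed addition beyond the tools named in the text, and the field names mirror the Security and System logs rather than any particular SIEM schema.

```python
"""Triage Windows events for the lateral-movement and remote-access tooling
described above: PsExec service installs, RDP network logons, and remote
management tools (ScreenConnect, Zoho Assist) appearing on hosts.
Added example; the events below are constructed for illustration and are not
real telemetry from any incident."""

import re
from collections import defaultdict

# Process-image patterns for remote-access tools. ScreenConnect and Zoho
# Assist are named in the text; AnyDesk is an assumed addition. Tune this to
# the tools your own environment actually sanctions.
RMM_PATTERNS = [
    ("ScreenConnect", re.compile(r"screenconnect", re.I)),
    ("Zoho Assist", re.compile(r"zohomeeting|za_connect|zohoassist", re.I)),
    ("AnyDesk", re.compile(r"anydesk", re.I)),
]

# Constructed sample: flat dicts mirroring Security/System log fields.
SAMPLE_EVENTS = [
    {"host": "FS01", "channel": "System", "event_id": 7045, "user": "CORP\\svc_backup",
     "service_name": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS01", "channel": "Security", "event_id": 4624, "user": "CORP\\svc_backup",
     "logon_type": 10, "src_ip": "10.0.5.23"},
    {"host": "WS07", "channel": "Security", "event_id": 4624, "user": "CORP\\alice",
     "logon_type": 2, "src_ip": "-"},
    {"host": "DC01", "channel": "Security", "event_id": 4688, "user": "CORP\\svc_backup",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe"},
    {"host": "WS07", "channel": "Security", "event_id": 4688, "user": "CORP\\alice",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "FS01", "channel": "Security", "event_id": 4688, "user": "CORP\\svc_backup",
     "image": r"C:\Program Files (x86)\ZohoMeeting\ZA_Connect.exe"},
]


def detect_psexec(ev):
    """System 7045 (service installed) whose name or binary is PSEXESVC.
    PsExec's -r switch renames the service, so a stricter rule would also
    flag any 7045 whose image lands directly in %SystemRoot%."""
    if ev.get("event_id") != 7045:
        return None
    name = (ev.get("service_name") or "").upper()
    image = ev.get("image") or ""
    if name.startswith("PSEXESVC") or "PSEXESVC" in image.upper():
        return ("psexec_service_install", image)
    return None


def detect_rdp(ev):
    """Security 4624 with logon type 10 (RemoteInteractive, i.e. RDP over
    the network). Type 7 covers session reconnects and merits a lower score."""
    if ev.get("event_id") == 4624 and ev.get("logon_type") == 10:
        return ("rdp_network_logon", ev.get("src_ip", ""))
    return None


def detect_rmm(ev):
    """Security 4688 (process creation) or System 7045 whose image matches
    a known remote-management tool."""
    if ev.get("event_id") not in (4688, 7045):
        return None
    image = ev.get("image") or ""
    for tool, pattern in RMM_PATTERNS:
        if pattern.search(image):
            return (f"rmm_tool:{tool}", image)
    return None


def triage(events):
    """Run every rule over every event; return one finding per hit, in
    event order."""
    findings = []
    for ev in events:
        for rule in (detect_psexec, detect_rdp, detect_rmm):
            hit = rule(ev)
            if hit:
                findings.append({"host": ev["host"], "user": ev.get("user", ""),
                                 "rule": hit[0], "detail": hit[1]})
    return findings


def pivot_accounts(findings, min_hosts=2):
    """Accounts tied to findings on several hosts: the shape of a pivot made
    with one stolen VPN or domain credential."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["user"]].add(f["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:5} {f['rule']:24} {f['user']:18} {f['detail']}")
    print("accounts active on multiple hosts:", pivot_accounts(results))
```

Run against the constructed sample, the script flags the PsExec service install and RDP logon on FS01, the ScreenConnect client on DC01 and the Zoho Assist binary on FS01, and `pivot_accounts` ties all four to the single `CORP\svc_backup` account across two hosts, which is exactly the pattern a stolen VPN credential produces. In production, feed it 4624/4688/7045 events from your SIEM and drop tools your IT team legitimately uses from `RMM_PATTERNS` rather than ignoring the hits wholesale.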
Emerging Threats and Strategic Partnerships
In parallel developments, the ransomware landscape is seeing collaborations such as the one between VECT and TeamPCP, announced in early 2026. The partnership relies on credential theft driven by supply chain attacks, which speeds up ransomware deployment once access is obtained.
Recent findings expose flaws in VECT’s encryption mechanisms, leading to data destruction rather than encryption for files exceeding certain sizes. Despite these setbacks, the strategic alliance signifies a shift towards more industrialized forms of cybercrime, lowering barriers for malicious actors.
The use of zero-day vulnerabilities, as demonstrated by The Gentlemen RaaS group, further illustrates the evolving threat landscape. By abusing weak credentials and loading vulnerable signed drivers (the bring-your-own-vulnerable-driver technique), the group gains kernel-level access and disables EDR and other security controls from below the level at which they operate.
As ransomware tactics grow more sophisticated, organizations must fortify their defenses against these persistent threats. For this campaign in particular, that means upgrading NetScaler ADC and Gateway appliances to a fixed build and, because session tokens leaked before the upgrade remain valid until they expire, terminating existing sessions afterwards (Citrix's advisory recommends `kill icaconnection -all` and `kill pcoipConnection -all`); enforcing MFA on VPN access and alerting on credential-stuffing patterns; and treating unsanctioned remote access tools, PsExec service installs, and unexpected RDP logons as incidents rather than noise. Continuous monitoring, patch management, and employee training remain the foundation on which those controls sit.
